Skip to main content

Cisco CVE-2026-20113

| EUVDEUVD-2026-15443 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-03-25 cisco
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15443
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 16:08 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events.

AnalysisAI

A CRLF injection vulnerability exists in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software that allows unauthenticated remote attackers to inject arbitrary log entries and manipulate log file structure. The vulnerability stems from insufficient input validation in the Cisco IOx management interface and affects a broad range of Cisco IOS XE Software versions from 16.6.1 through 17.18.1x. A successful exploit enables attackers to obscure legitimate log events, inject malicious log entries, or corrupt log file integrity without requiring authentication, making it particularly dangerous in environments where log analysis is relied upon for security monitoring and compliance.

Technical ContextAI

This vulnerability exploits improper handling of carriage return (CR, ASCII 0x0D) and line feed (LF, ASCII 0x0A) characters in user input to the Cisco IOx web management interface, a component of Cisco IOS XE Software (CPE: cpe:2.3:a:cisco:cisco_ios_xe_software:*:*:*:*:*:*:*:*). The root cause is classified under CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers), which describes the failure to sanitize user-controlled input before it is processed in contexts where CRLF sequences have special meaning, such as HTTP headers or log files. The IOx application hosting environment is a containerized application framework within IOS XE that provides management interfaces for deployed applications; the vulnerability specifically affects the web-based management portal where insufficient input validation allows attackers to inject CRLF bytes that alter the logical structure of log files and bypass log integrity checks.

RemediationAI

Immediately consult Cisco's official security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-crlf-NvgKTKJZ to identify the minimum safe version for your IOS XE branch and upgrade to the earliest patched release within your current release train (typically a y-stream or z-stream update). For devices unable to upgrade immediately, implement network-level mitigations: restrict access to the IOx web management interface to trusted administration networks via access control lists, disable the web-based IOx management interface if not required and use alternative management methods (CLI, management APIs with authentication enforcement), and ensure all HTTP traffic to the management interface is monitored for CRLF injection patterns (0x0D 0x0A sequences in URL parameters or POST body fields). Implement strict input validation and output encoding at the log ingestion point if logs are forwarded to external SIEM systems to detect and reject malformed entries. Verify the integrity of audit logs using cryptographic hashing or log aggregation services that enforce immutability.

Share

CVE-2026-20113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy